I'm new to this forum and new to PF, which is installed on OpenBSD 4.4. I'm currently having some issues with trying to access certain web sites that are on https. I seem to not be able to load some https sites and somehow, the firewall seems to be blocking port 443 traffic. The https web site tries to load once I give it the correct username and password, but all of a sudden it kicks me out. It happens on a few of the https sites I try to get to.

For testing, I connected a laptop directly on the DMZ and that https web site loaded with no problems. Also, I cannot get to my company's web mail, also using https, and now I'm able to access it while the laptop is still in the DMZ.

The firewall was implemented by someone else who knows PF very well and it's working nicely in my company's network.

1). Can anyone tell me how to find out if port 443 is open?

2). If that port is not open, how can I open it? Not sure what script to use.

3). I'm not sure what's going on.

If anyone can help me out on how to diagnose the problem and how to fix it, that would be great.

Officially, support for OpenBSD 4.4 ended on October 18, 2009. And, there have been innumerable changes to PF since then.

In order to self manage PF, since your support person is no longer available, you will need a copy of the PF User's Guide applicable for 4.4. The PF User's Guide currently at the OpenBSD project website (and mirrors) is for OpenBSD 4.8, and in May, will be updated for 4.9.

I'll cobble up a 4.4 version of the guide for you and attach it to this thread, but will not be able to get to it for many hours, so don't expect it until tomorrow. Meanwhile...

Quote:

.. I'm currently having some issues with trying to access certain web sites that are on https. I seem to not be able to load some https sites and somehow, the firewall seems to be blocking port 443 traffic. The https web site tries to load once I give it the correct username and password, but all of a sudden it kicks me out. It happens on a few of the https sites I try to get to...

If you are able to reach your https:// websites in order to authenticate, then whatever your problem is, it is not a port 443 problem, since an https URL will use port 443 as the destination port by default.

Quote:

...For testing, I connected a laptop directly on the DMZ and that https web site loaded with no problems. Also, I cannot get to my company's web mail, also using https, and now I'm able to access it while the laptop is still in the DMZ.

OpenBSD comes with a tool called tcpdump. You can use it to monitor PF block/pass decisions. It requires root (superuser) access on the firewall. Assuming you have that, and assuming your prior admin set up logging -- a big if -- you could find out what rules are blocking and passing traffic. But each rule to be tracked would need to have a "log" flag included, and many PF admins neglect to do so.

Quote:

1). Can anyone tell me how to find out if port 443 is open?

Reaching -any- https: URL and getting a web page back, as I mentioned above, requires port 443 to be open. The tcpdump tool can tell you if rules are blocking or passing traffic, if logging has been set up for individual block and pass rules. Reading your pf.conf file and looking for port 443 rules (or rules that refer to https) may give you an indication as well. Note that port 443 is a DESTINATION port number at the server, the sending port number can be completely random.

Quote:

....2). If that port is not open, how can I open it? Not sure what script to use.

It's not a script at all, it's a text file, as mentioned above. The default name is pf.conf, stored in /etc. Meanwhile, please take a look at 4.8's PF User's Guide for a general description of PF and how it is utilized, even though rule syntax has changed significantly since 2008, when 4.4 was in development.
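The reply suggests two things: read pf.conf for rules that mention port 443 (or https), and use tcpdump on the pflog interface to see which logged rules are blocking or passing. The script below is an added example for this thread, not the poster's ruleset and not code from the OpenBSD project. It works against a constructed sample pf.conf (4.x-era syntax, assumed) so it runs anywhere, and it also wraps the standard OpenBSD commands `pfctl -sr` and `tcpdump -n -e -ttt -i pflog0`, which only do anything on the firewall itself as root. It lists which 443/https rules carry no "log" keyword, because those are exactly the rules that never show up in pflog output.

```shell
#!/bin/sh
# Added example for this thread (not the poster's config, not OpenBSD project code):
# static checks on a pf.conf for rules touching port 443 / https, plus the guarded
# pfctl / tcpdump-on-pflog0 calls. The sample ruleset and file paths are assumed.

# Matches a literal port 443 (not 1443 or 4433) or the https service name.
HTTPS_RE='[^0-9]443([^0-9]|$)|https'

# Write a constructed sample pf.conf to a temp file and print its path.
sample_pf_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample ruleset for illustration only
ext_if = "em0"
web_ports = "{ 80, 443 }"
block in log all
pass out on $ext_if proto tcp from any to any port 443 keep state
pass in on $ext_if proto tcp from any to any port $web_ports keep state
pass in log on $ext_if proto tcp from any to any port https keep state
block in on $ext_if proto tcp from any to any port 443
EOF
    echo "$f"
}

# Every non-comment line (macros included) mentioning 443 or https, with line numbers,
# so a rule that uses a macro like $web_ports can still be traced back to 443.
find_https_rules() {
    grep -nE "^[^#]*($HTTPS_RE)" "$1" || true
}

# Count pass or block rules (kind given as $1) that mention 443/https in file $2.
count_https_rules() {
    grep -cE "^[[:space:]]*$1[[:space:]].*($HTTPS_RE)" "$2" || true
}

# pass/block rules mentioning 443/https that carry no "log" keyword: these never
# appear on pflog0, which is the caveat about admins forgetting to add log.
unlogged_https_rules() {
    grep -E '^[[:space:]]*(pass|block)[[:space:]]' "$1" \
        | grep -E "$HTTPS_RE" \
        | grep -vE '[[:space:]]log([[:space:]]|$)' || true
}

# On the firewall itself: the rules PF actually has loaded (pfctl needs root).
loaded_https_rules() {
    pfctl -sr 2>/dev/null | grep -E "$HTTPS_RE" || true
}

# Watch logged block/pass decisions for port 443 as they happen. Only meaningful on
# the OpenBSD firewall as root, with pflog0 present and "log" on the relevant rules.
watch_pflog_443() {
    if ifconfig pflog0 >/dev/null 2>&1; then
        tcpdump -n -e -ttt -i pflog0 port 443
    else
        echo "pflog0 not found: run this on the PF firewall as root" >&2
        return 1
    fi
}

# Stand-alone run: inspect a real file given as $1, or the constructed sample.
conf="${1:-$(sample_pf_conf)}"
echo "== rules mentioning 443/https in $conf =="
find_https_rules "$conf"
echo "== pass rules: $(count_https_rules pass "$conf"), block rules: $(count_https_rules block "$conf") =="
echo "== 443/https rules without a log flag (invisible on pflog0) =="
unlogged_https_rules "$conf"
```

Run it as `sh pfcheck.sh /etc/pf.conf` on the firewall to see which rules name port 443 and which of them would actually log; then, as root, `watch_pflog_443` while reproducing the failed login shows whether a logged rule is dropping the connection. A rule that matches but has no `log` flag is silent, so an empty tcpdump does not by itself prove PF is passing the traffic.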